Charles J Gruener
2006-Nov-21 01:34 UTC
[Samba] Samba selectively obeying pam restrictions
Having a difficult problem getting my pam_access.so module enforced on a 3.0.22 version of Samba.

Here is my /etc/pam.d/samba file:

auth      required    pam_winbind.so debug
account   required    pam_access.so
account   sufficient  pam_winbind.so debug
account   include     system-auth
session   include     system-auth
session   required    pam_winbind.so debug

My /etc/pam.d/system-auth file:

auth      required    pam_nologin.so
auth      required    pam_env.so
auth      sufficient  pam_unix.so likeauth nullok
auth      required    pam_deny.so
account   required    pam_unix.so
password  required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password  sufficient  pam_unix.so nullok md5 shadow use_authtok
password  required    pam_deny.so
session   required    pam_limits.so
session   required    pam_quota_xfs.so bsoftlimit=719688 bhardlimit=719688
session   required    pam_mkhomedir.so skel=/etc/skel.net umask=077
session   required    pam_unix.so

And my associated /etc/security/access.conf file:

-:ALL EXCEPT root user1:ALL

Lastly, my /etc/samba/smb.conf file:

[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
security = ADS
allow trusted domains = No
idmap backend = rid:DOMAIN=1000-1000000
idmap uid = 1000-1000000
idmap gid = 1000-1000000
template homedir = /home/%U
template shell = /bin/false
winbind cache time = 3600
winbind enum groups = No
winbind enum users = No
winbind use default domain = Yes
obey pam restrictions = Yes
syslog only = yes
syslog = 0
use sendfile = yes
store dos attributes = Yes
disable spoolss = Yes

[homes]
browseable = No
read only = No
valid users = DOMAIN\%S
create mask = 0700
directory mask = 0700
directory security mask = 0700

Basically, when I connect from a Macintosh, through the web using a Davenport client, or locally using the smbclient command as user2 (not listed in /etc/security/access.conf but does exist in the domain), I get access denied. Perfect. Exactly what I want to have happen.
# smbclient -L server -U user2
Password:
session setup failed: NT_STATUS_ACCESS_DENIED
#

Syslog shows this:

server pam_access[19333]: access denied for user `DOMAIN\user2' from `10.0.0.10'
server pam_winbind[19333]: user 'DOMAIN\user2' granted access

Not sure why pam_winbind gets called, but I haven't figured that one out yet.

Now, when I connect from a Windows machine in the domain, user2 is allowed in. Not to mention, the computer connects and has a home directory created as well because of the pam_mkhomedir.so above.

server samba(pam_quota)[19348]: Successfully setup quotas for UID 387093
server samba(pam_unix)[19348]: session opened for user MAIN\computer$ by (uid=0)
server pam_winbind[19348]: libpam_winbind:pam_sm_open_session handler
server samba(pam_unix)[19350]: session opened for user MAIN\user2 by (uid=0)
server pam_winbind[19350]: libpam_winbind:pam_sm_open_session handler
server samba(pam_unix)[19348]: session closed for user MAIN\computer$
server pam_winbind[19348]: libpam_winbind:pam_sm_close_session handler
server samba(pam_unix)[19350]: session closed for user MAIN\user2
server pam_winbind[19350]: libpam_winbind:pam_sm_close_session handler

So what gives? Why is it correctly parsing the "obey pam restrictions = Yes" for some connections and not for others? I don't see one try at pam_access in the Windows case. It goes immediately to pam_unix for some reason. Any thoughts?

Incidentally, I tried putting a pam_access.so line before the pam_unix.so line in my /etc/pam.d/system-auth and the results are the same. No mention of pam_access in the Windows connection case.

Charles
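A small evaluator for the access.conf rule format (permission:users:origins) that the single rule in this post relies on, added here as an example; it is not code from the thread or from Linux-PAM. It handles only literal user names, ALL and EXCEPT (no group, netgroup or hostname matching), and, because the syslog line above shows pam_access being handed the qualified name `DOMAIN\user2`, it also shows that such a qualified string never matches a bare name listed in the file.

```python
# Added example: minimal evaluator for the pam_access access.conf format.
# Not Linux-PAM code; only literal names, ALL and EXCEPT are supported
# (real pam_access also matches groups, netgroups and hostname patterns).

# Constructed copy of the access.conf posted in the thread.
ACCESS_CONF = """
# deny everyone except root and user1, from any origin
-:ALL EXCEPT root user1:ALL
"""


def parse_rules(text):
    """Return a list of (allow, user_tokens, origin_tokens) in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def _field_matches(tokens, value):
    """ALL matches anything; 'a b EXCEPT c' matches a or b but never c.

    Names are compared as whole strings (case-insensitively, as pam_access
    does), so 'DOMAIN\\user1' does not match a bare 'user1'.
    """
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_field_matches(tokens[:i], value)
                and not _field_matches(tokens[i + 1:], value))
    return any(tok == "ALL" or tok.lower() == value.lower() for tok in tokens)


def check_access(rules, user, origin):
    """First matching rule decides; like pam_access, no match means granted."""
    for allow, users, origins in rules:
        if _field_matches(users, user) and _field_matches(origins, origin):
            return allow
    return True


if __name__ == "__main__":
    rules = parse_rules(ACCESS_CONF)
    for user in ("root", "user1", "user2", "DOMAIN\\user2", "DOMAIN\\user1"):
        verdict = "granted" if check_access(rules, user, "10.0.0.10") else "denied"
        print(f"{user:14s} from 10.0.0.10: {verdict}")
```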
Gerald (Jerry) Carter
2006-Dec-15 19:06 UTC
[Samba] Samba selectively obeying pam restrictions
Charles J Gruener wrote:
> Having a difficult problem getting my pam_access.so
> module enforced on a 3.0.22 version of Samba.
>...
> Lastly, my /etc/samba/smb.conf file:
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.LOCAL
> security = ADS

I'm not sure that we actually enforce PAM on member servers. Simo was adapting a patch for security = domain. I'm not sure if it handled ads as well.

cheers, jerry